Gist inoperable/41dcbce6a7b5b3aa7cf7c4072c6e2f18 (revision history)
Revisions
Neo23x0 revised this gist
Sep 25, 2018. 1 changed file with 5 additions and 0 deletions.
@@ -1,3 +1,8 @@ # IMPORTANT! # This gist has been transformed into a github repo # You can find the most recent version there: # https://github.com/Neo23x0/auditd # ___ ___ __ __ # / | __ ______/ (_) /_____/ / # / /| |/ / / / __ / / __/ __ /
Neo23x0 revised this gist
Aug 5, 2018. 1 changed file with 1 addition and 1 deletion.
@@ -10,7 +10,7 @@ # Compiled by Florian Roth # # Created : 2017/12/05 # Modified : 2018/08/05 # # Based on rules published here: # Gov.uk auditd rules
Neo23x0 revised this gist
Aug 5, 2018. 1 changed file with 3 additions and 1 deletion.
@@ -325,9 +325,11 @@ -w /usr/bin/rpm -p x -k software_mgmt -w /usr/bin/yum -p x -k software_mgmt # YAST/Zypper/RPM (SuSE) -w /sbin/yast -p x -k yast -w /sbin/yast2 -p x -k yast -w /bin/rpm -p x -k software_mgmt -w /usr/bin/zypper -k software_mgmt # DPKG / APT-GET (Debian/Ubuntu) -w /usr/bin/dpkg -p x -k software_mgmt
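Review bot: the new `-w /usr/bin/zypper -k software_mgmt` line is missing `-p x`, unlike every other binary watch in this section (`-w /bin/rpm -p x -k software_mgmt` directly above it), so it will record every read, write and attribute change of the zypper binary instead of executions only; add `-p x`. Minor: the two yast lines still carry the key `yast` although the heading now groups them with Zypper and RPM, so an `ausearch -k software_mgmt` will miss YaST runs; one key for the whole section is easier to search.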
Neo23x0 revised this gist
Feb 13, 2018. 1 changed file with 21 additions and 2 deletions.
@@ -10,7 +10,7 @@ # Compiled by Florian Roth # # Created : 2017/12/05 # Modified : 2018/02/13 # # Based on rules published here: # Gov.uk auditd rules @@ -27,7 +27,6 @@ # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules # For NISPOM compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules # Remove any existing rules -D @@ -210,6 +209,10 @@ ## SSH configuration -w /etc/ssh/sshd_config -k sshd # Systemd -w /bin/systemctl -p x -k systemd -w /etc/systemd/ -p wa -k systemd ## SELinux events that modify the system's Mandatory Access Controls (MAC) -w /etc/selinux/ -p wa -k mac_policy @@ -316,6 +319,22 @@ ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse # Software Management --------------------------------------------------------- # RPM (Redhat/CentOS) -w /usr/bin/rpm -p x -k software_mgmt -w /usr/bin/yum -p x -k software_mgmt # YAST (SuSE) -w /sbin/yast -p x -k yast -w /sbin/yast2 -p x -k yast # DPKG / APT-GET (Debian/Ubuntu) -w /usr/bin/dpkg -p x -k software_mgmt -w /usr/bin/apt-add-repository -p x -k software_mgmt -w /usr/bin/apt-get -p x -k software_mgmt -w /usr/bin/aptitude -p x -k software_mgmt # Special Software ------------------------------------------------------------ ## GDS specific secrets
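Review bot: the systemd hunk (`@@ -210,6 +209,10 @@`) only watches the administrator override directory, `-w /etc/systemd/ -p wa -k systemd`; a unit or drop-in placed in the vendor directory (`/usr/lib/systemd/system`, `/lib/systemd/system` on Debian) or in `/run/systemd/system` is a perfectly good persistence mechanism and produces no event under this rule. Add watches for those directories with the same `systemd` key, or say in the comment that only `/etc/systemd/` is covered.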
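Review bot: the Debian block of the new Software Management section (`@@ -316,6 +319,22 @@`) watches `apt-get`, `aptitude` and `apt-add-repository` but not `/usr/bin/apt`, the front end most interactive installs go through, so add `-w /usr/bin/apt -p x -k software_mgmt`. Style: the YaST entries use `-k yast` while everything else in the section uses `-k software_mgmt`; a single key keeps `ausearch -k software_mgmt` complete across distributions.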
Neo23x0 revised this gist
Jan 30, 2018. 1 changed file with 51 additions and 12 deletions.
@@ -10,7 +10,7 @@ # Compiled by Florian Roth # # Created : 2017/12/05 # Modified : 2018/01/30 # # Based on rules published here: # Gov.uk auditd rules @@ -87,6 +87,12 @@ -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 ### High Volume Event Filter (especially on Linux Workstations) -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm ## More information on how to filter events ### https://access.redhat.com/solutions/2482221 @@ -197,9 +203,6 @@ -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam ## Postfix configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail
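Review bot: the new `-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess` filter (and its b32 twin) silences every syscall that touches `/dev/shm`, which is also the world-writable, never-on-disk location that droppers and in-memory loaders like to stage from; if the workstation noise comes from one program, a narrower `never` rule with `-F exe=` or `-F subj_type=` keeps the rest of the directory visible. Also note that `-k` on a `never` rule is dead weight: nothing is written, so the key never appears anywhere.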
@@ -211,14 +214,14 @@ -w /etc/selinux/ -p wa -k mac_policy ## Critical elements access failures -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess ## Process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc @@ -273,6 +276,30 @@ ### bit API. -a always,exit -F arch=b32 -S all -k 32bit_api ## Reconnaissance -w /usr/bin/whoami -p x -k recon -w /etc/issue -p r -k recon -w /etc/hostname -p r -k recon ## Suspicious activity -w /usr/bin/wget -p x -k susp_activity -w /usr/bin/curl -p x -k susp_activity -w /usr/bin/base64 -p x -k susp_activity -w /bin/nc -p x -k susp_activity -w /bin/netcat -p x -k susp_activity -w /usr/bin/ncat -p x -k susp_activity -w /usr/bin/ssh -p x -k susp_activity -w /usr/bin/socat -p x -k susp_activity -w /usr/bin/wireshark -p x -k susp_activity -w /usr/bin/rawshark -p x -k susp_activity -w /usr/bin/rdesktop -p x -k sbin_susp ## Sbin suspicious activity -w /sbin/iptables -p x -k sbin_susp -w /sbin/ifconfig -p x -k sbin_susp -w /usr/sbin/tcpdump -p x -k sbin_susp -w /usr/sbin/traceroute -p x -k sbin_susp ## Injection ### These rules watch for code injection by the ptrace facility. ### This could indicate someone trying to do something bad or just debugging 
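Review bot: the renamed `unauthedfileaccess` rules (`@@ -211,14 +214,14 @@`) still match only `-S open` on `arch=b64`, e.g. `-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess`; on current glibc the `open()` wrapper is implemented with the `openat` syscall, so most failed opens never hit these rules, and there is no b32 counterpart at all. Use `-S open,openat` on both arches, or drop the block in favour of the generic `file_access` rules at the end of the file, which already list `open`, `openat` and `open_by_handle_at`.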
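Review bot: in the Reconnaissance / Suspicious activity hunk (`@@ -273,6 +276,30 @@`), `-w /usr/bin/rdesktop -p x -k sbin_susp` carries the `sbin_susp` key although it sits under `## Suspicious activity` and is not an sbin tool; use `-k susp_activity`. Expect `-w /etc/issue -p r -k recon` to fire on every getty login prompt, `-w /etc/hostname -p r -k recon` on every service that reads the hostname at boot, and `-w /usr/bin/ssh -p x -k susp_activity` on every outbound admin SSH session; a plain `-w` cannot be scoped, so either move these three to the High volume section with a comment, or rewrite them as `-a always,exit -F path=... -F perm=x` rules, which accept `-F auid` filters.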
@@ -289,6 +316,18 @@ ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse # Special Software ------------------------------------------------------------ ## GDS specific secrets -w /etc/puppet/ssl -p wa -k puppet_ssl ## IBM Bigfix BESClient -a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient -w /var/opt/BESClient/ -p wa -k soft_besclient ## CHEF https://www.chef.io/chef/ -w /etc/chef -p wa -k soft_chef # High volume events ---------------------------------------------------------- ## Remove them if the cause to much volumen in your einvironment
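Review bot: the new BigFix rule `-a exit,always -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient` has the same gap as the other `open`-only rules in the file: it misses `openat` (what current glibc emits for `open()`) and has no b32 counterpart, so use `-S open,openat` on both arches. Documentation: `## Remove them if the cause to much volumen in your einvironment` should read `## Remove them if they cause too much volume in your environment`.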
Neo23x0 revised this gist
Dec 13, 2017. 1 changed file with 16 additions and 7 deletions.
@@ -96,20 +96,29 @@ -w /etc/sysctl.conf -p wa -k sysctl ## Kernel module loading and unloading -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules -a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules ## Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe ## KExec usage (all actions) -a always,exit -F arch=b64 -S kexec_load -k KEXEC -a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC ## Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles ## Mount operations (only attributable) -a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount -a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount # Change swap (only attributable) -a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap -a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap ## Time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
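Review bot: `-a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC` uses a syscall name that libaudit's syscall tables do not resolve; they list it as `kexec_load` on i386 just as on x86_64, and because the file is loaded with `-i` a rejected rule is skipped silently instead of failing the load. Change it to `-S kexec_load` and confirm with `auditctl -l | grep KEXEC` that both arch rules are present. Style: this hunk writes the unset login UID as `auid!=-1` while the rest of the file uses `auid!=4294967295` and `auid=unset`; all three mean the same thing, so pick one spelling for the whole file. Adding `finit_module` is the right call, since kmod loads modules by file descriptor on current kernels.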
Neo23x0 revised this gist
Dec 13, 2017. 1 changed file with 72 additions and 65 deletions.
@@ -1,3 +1,9 @@ # ___ ___ __ __ # / | __ ______/ (_) /_____/ / # / /| |/ / / / __ / / __/ __ / # / ___ / /_/ / /_/ / / /_/ /_/ / # /_/ |_\__,_/\__,_/_/\__/\__,_/ # # Linux Audit Daemon - Best Practice Configuration # /etc/audit/audit.rules #
@@ -40,82 +46,81 @@ # Self Auditing --------------------------------------------------------------- ## Audit the audit logs ### Successful and unsuccessful attempts to read information from the audit records -w /var/log/audit/ -k auditlog ## Auditd configuration ### Modifications to audit configuration that occur while the audit collection functions are operating -w /etc/audit/ -p wa -k auditconfig -w /etc/libaudit.conf -p wa -k auditconfig -w /etc/audisp/ -p wa -k audispconfig ## Monitor for use of audit management tools -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools # Filters --------------------------------------------------------------------- ### We put these early because audit is a first match wins system. ## Ignore SELinux AVC records -a always,exclude -F msgtype=AVC ## Ignore current working directory records -a always,exclude -F msgtype=CWD ## Ignore EOE records (End Of Event, not needed) -a always,exclude -F msgtype=EOE ## Cron jobs fill the logs with stuff we normally don't want (works with SELinux) -a never,user -F subj_type=crond_t -a exit,never -F subj_type=crond_t ## This prevents chrony from overwhelming the logs -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t ## This is not very interesting and wastes a lot of space if the server is public facing -a always,exclude -F msgtype=CRYPTO_KEY_USER ## VMWare tools -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 ## More information on how to filter events ### https://access.redhat.com/solutions/2482221 # Rules ----------------------------------------------------------------------- ## Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl ## Kernel module loading and unloading -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a 
always,exit -F arch=b64 -S init_module -S delete_module -k modules ## Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe ## Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles ## Mount operations -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount -a exit,always -F arch=b64 -S mount -S umount2 -k mount ## Time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time ### Local time zone -w /etc/localtime -p wa -k localtime ## Stunnel -w /usr/sbin/stunnel -p x -k stunnel ## Cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k cron -w /etc/cron.deny -p wa -k cron -w /etc/cron.d/ -p wa -k cron 
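Review bot: `-a always,exit -F arch=b64 -S init_module -S delete_module -k modules` misses `finit_module`, which is how current `modprobe`/`insmod` load a module from a file descriptor, and there is no `arch=b32` counterpart, so a 32-bit loader or a kmod-based load goes unlogged; use `-S init_module,finit_module,delete_module` on both arches. In the Filters block, `-a always,exclude -F msgtype=CWD` removes the record that supplies the working directory for relative `name=` values in PATH records, so an entry such as `name=./payload` can no longer be resolved during an investigation; keep CWD unless the volume is genuinely unbearable.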
@@ -126,77 +131,77 @@ -w /etc/crontab -p wa -k cron -w /var/spool/cron/crontabs/ -k cron ## User, group, password databases -w /etc/group -p wa -k etcgroup -w /etc/passwd -p wa -k etcpasswd -w /etc/gshadow -k etcgroup -w /etc/shadow -k etcpasswd -w /etc/security/opasswd -k opasswd ## Sudoers file changes -w /etc/sudoers -p wa -k actions ## Passwd -w /usr/bin/passwd -p x -k passwd_modification ## Tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification -w /usr/sbin/useradd -p x -k user_modification -w /usr/sbin/usermod -p x -k user_modification -w /usr/sbin/adduser -p x -k user_modification ## Login configuration and information -w /etc/login.defs -p wa -k login -w /etc/securetty -p wa -k login -w /var/log/faillog -p wa -k login -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login ## Network Environment ### Changes to hostname -a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications ### Changes to other files -w /etc/hosts -p wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications -w /etc/network/ -p wa -k network -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications ### Changes to issue -w /etc/issue -p wa -k etcissue -w /etc/issue.net -p wa -k etcissue ## System startup scripts -w /etc/inittab -p wa -k init -w /etc/init.d/ -p wa -k init -w /etc/init/ -p wa -k init ## Library search paths -w /etc/ld.so.conf -p wa -k libpath ## Pam configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam -w /etc/security/pam_env.conf -p wa -k pam -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam ## GDS specific secrets -w /etc/puppet/ssl -p wa -k puppet_ssl ## 
Postfix configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail ## SSH configuration -w /etc/ssh/sshd_config -k sshd ## SELinux events that modify the system's Mandatory Access Controls (MAC) -w /etc/selinux/ -p wa -k mac_policy ## Critical elements access failures -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess @@ -206,23 +211,23 @@ -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess ## Process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc -w /usr/bin/sudo -p x -k priv_esc -w /etc/sudoers -p rw -k priv_esc ## Power state -w /sbin/shutdown -p x -k power -w /sbin/poweroff -p x -k power -w /sbin/reboot -p x -k power -w /sbin/halt -p x -k power ## Session initiation information -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session ## Discretionary Access Control (DAC) modifications -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod 
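Review bot: `-w /etc/sysconfig/network -p wa -k network_modifications` appears twice in the Network Environment block (once before `-w /etc/network/ -p wa -k network`, again after the NetworkManager rule); the kernel rejects the exact duplicate and `-i` hides the error, and the `/etc/network/` watch uses the key `network` instead of `network_modifications`. `/etc/sudoers` is likewise watched twice with different keys (`-w /etc/sudoers -p wa -k actions` and, in the priv_esc block, `-w /etc/sudoers -p rw -k priv_esc`) while `/etc/sudoers.d/` is not watched at all; keep one `-w /etc/sudoers -p wa` rule and add `-w /etc/sudoers.d/ -p wa` under the same key. The `unauthedfileacess` key is misspelled (missing a `c`), which matters because keys are what people search on.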
@@ -252,17 +257,17 @@ # Special Rules --------------------------------------------------------------- ## 32bit API Exploitation ### If you are on a 64 bit platform, everything _should_ be running ### in 64 bit mode. This rule will detect any use of the 32 bit syscalls ### because this might be a sign of someone exploiting a hole in the 32 ### bit API. -a always,exit -F arch=b32 -S all -k 32bit_api ## Injection ### These rules watch for code injection by the ptrace facility. ### This could indicate someone trying to do something bad or just debugging -a always,exit -F arch=b32 -S ptrace -k tracing -a always,exit -F arch=b64 -S ptrace -k tracing -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection 
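Review bot: with `-a always,exit -F arch=b64 -S ptrace -k tracing` (and now its b32 twin) listed before the `-F a0=0x4`, `0x5` and `0x6` rules, the `code_injection`, `data_injection` and `register_injection` keys can never appear: the file's own comment says audit is first-match-wins, the generic ptrace rule matches every ptrace call, so the kernel stops there and tags the event `tracing`. Either move the three `a0=` rules above the generic one, or drop the generic rule and keep only the request-specific ones. `-a always,exit -F arch=b32 -S all -k 32bit_api` also deserves a warning in its comment that any legitimate 32-bit program on the host turns it into a firehose.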
@@ -271,38 +276,40 @@ -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection ## Privilege Abuse ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse # High volume events ---------------------------------------------------------- ## Remove them if the cause to much volumen in your einvironment ## Root command executions -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd ## File Deletion Events by User -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete ## File Access ### Unauthorized Access (unsuccessful) -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access ### Unsuccessful Creation -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM 
-k file_creation -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation ### Unsuccessful Modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification # Make the configuration immutable -------------------------------------------- ##-e 2
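Review bot: the `delete` and `file_access` rules in this hunk filter on `-F auid>=500 -F auid!=4294967295` while the `power_abuse` rule a few lines above uses `auid>=1000`; on distributions whose `UID_MIN` in `/etc/login.defs` is 1000, the lower threshold lets package-created service accounts in the 500 to 999 range generate events these rules are meant to reserve for people. Pick one threshold for the whole file, and spell the unset-auid test one way (this revision uses both `auid!=4294967295` and `auid=unset`).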
Neo23x0 revised this gist
Dec 13, 2017. 1 changed file with 17 additions and 14 deletions.
@@ -1,24 +1,27 @@ # Linux Audit Daemon - Best Practice Configuration # /etc/audit/audit.rules # # Compiled by Florian Roth # # Created : 2017/12/05 # Modified : 2017/12/13 # # Based on rules published here: # Gov.uk auditd rules # https://github.com/gds-operations/puppet-auditd/pull/1 # CentOS 7 hardening # https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon # Linux audit repo # https://github.com/linux-audit/audit-userspace/tree/master/rules # Auditd high performance linux auditing # https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/ # # Further rules # For PCI DSS compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules # For NISPOM compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules # # Remove any existing rules -D
Neo23x0 revised this gist
Dec 13, 2017. 1 changed file with 11 additions and 1 deletion.
@@ -56,8 +56,18 @@ # This is for don't audit rules. We put these early because audit # is a first match wins system. # Ignore SELinux AVC records -a always,exclude -F msgtype=AVC # Ignore current working directory records -a always,exclude -F msgtype=CWD # Ignore EOE records (End Of Event, not needed) -a always,exclude -F msgtype=EOE # Cron jobs fill the logs with stuff we normally don't want (works with SELinux) -a never,user -F subj_type=crond_t -a exit,never -F subj_type=crond_t # This prevents chrony from overwhelming the logs #-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
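Review bot: `-a always,exclude -F msgtype=AVC` drops every SELinux denial from the audit log, which is where `ausearch -m avc`, `audit2allow` and setroubleshoot read them from; if AVC volume is the problem, fix the policy or dontaudit the specific domain rather than blinding the log, or at least ship this line commented out the way the chrony filter below it is. The pair `-a never,user -F subj_type=crond_t` / `-a exit,never -F subj_type=crond_t` is fine but, as the comment says, only with SELinux: without a loaded policy `subj_type` never matches and cron noise comes through unchanged, so hosts without SELinux need a different cron filter.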
Neo23x0 revised this gist
Dec 5, 2017. 1 changed file with 1 addition and 1 deletion.
@@ -244,7 +244,7 @@ ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls ## because this might be a sign of someone exploiting a hole in the 32 ## bit API. -a always,exit -F arch=b32 -S all -k 32bit_api # Injection ## These rules watch for code injection by the ptrace facility.
Neo23x0 revised this gist
Dec 5, 2017. 1 changed file with 3 additions and 2 deletions.
@@ -1,4 +1,4 @@ # Linux Audit Daemon - Best Practice Configuration # /etc/audit/audit.rules # # Based on rules published here: @@ -17,7 +17,8 @@ # For NISPOM compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules # # Compiled by Florian Roth # 2017/12/05 # Remove any existing rules -D
Neo23x0 revised this gist
Dec 5, 2017. 1 changed file with 15 additions and 6 deletions.
@@ -8,6 +8,8 @@ # https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon # Linux audit repo # https://github.com/linux-audit/audit-userspace/tree/master/rules # Auditd high performance linux auditing # https://linux-audit.com/tuning-auditd-high-performance-linux-auditing/ # # Further rules # For PCI DSS compliance see: @@ -50,18 +52,25 @@ # Filters --------------------------------------------------------------------- # This is for don't audit rules. We put these early because audit # is a first match wins system. # Cron jobs fill the logs with stuff we normally don't want -a never,user -F subj_type=crond_t # This prevents chrony from overwhelming the logs #-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t # This is not very interesting and wastes a lot of space if the server is public facing -a always,exclude -F msgtype=CRYPTO_KEY_USER # VMWare tools -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 # More information on how to filter events # https://access.redhat.com/solutions/2482221 # Rules ----------------------------------------------------------------------- # Kernel parameters
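Review bot: in the Filters hunk, `-a never,user -F subj_type=crond_t` only suppresses user-type records from cron; syscall events from cron jobs still go through the exit list, so the intent stated in `# Cron jobs fill the logs with stuff we normally don't want` is not met until a matching `-a exit,never -F subj_type=crond_t` is added next to it. The VMware lines combine `-F success=0` with `-F exit=-2`; an exit of -2 (ENOENT) already implies failure, so `success=0` is redundant and the rule reads cleaner without it.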
@@ -248,7 +257,7 @@ -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection # Privilege Abuse ## The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse
Neo23x0 revised this gist
Dec 5, 2017. 1 changed file with 36 additions and 45 deletions.
@@ -21,13 +21,17 @@ -D # Buffer Size ## Feel free to increase this if the machine panic's -b 8192 # Failure Mode ## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system) -f 1 # Ignore errors ## e.g. caused by users or files not found in the local environment -i # Self Auditing --------------------------------------------------------------- # Audit the audit logs @@ -47,13 +51,13 @@ # Filters --------------------------------------------------------------------- ## This is for don't audit rules. We put these early because audit ## is a first match wins system. ## Cron jobs fill the logs with stuff we normally don't want -a never,user -F subj_type=crond_t ## This prevents chrony from overwhelming the logs #-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t ## This is not very interesting and wastes a lot of space if the server is public facing -a always,exclude -F msgtype=CRYPTO_KEY_USER @@ -167,7 +171,7 @@ -w /etc/ssh/sshd_config -k sshd # SELinux events that modify the system's Mandatory Access Controls (MAC) -w /etc/selinux/ -p wa -k mac_policy # Critical elements access failures -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
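Review bot: `-i` makes auditctl ignore every rule that fails to load, not only rules for users or paths absent on this host as the comment `## e.g. caused by users or files not found in the local environment` suggests; a typo in a syscall name, a field the running kernel does not support, or a duplicate rule is then dropped without any message and the host runs with fewer rules than the file claims. Load the file once without `-i` on each target platform, or diff `auditctl -l` against the file, before enabling it, and say so in the comment. Also, `## Feel free to increase this if the machine panic's` above `-b 8192` describes `-f 2` behaviour; with the `-f 1` set two lines later a full backlog only prints a message and drops events.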
@@ -197,42 +201,30 @@ # Discretionary Access Control (DAC) modifications -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k 
perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod # Special Rules --------------------------------------------------------------- @@ -242,34 +234,33 @@ ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls ## because this might be a sign of someone exploiting a hole in the 32 ## bit API. -a always,exit -F arch=b32 -S all -k 32bit_abi # Injection ## These rules watch for code injection by the ptrace facility. ## This could indicate someone trying to do something bad or just debugging #-a always,exit -F arch=b32 -S ptrace -k tracing -a always,exit -F arch=b64 -S ptrace -k tracing -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection -a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection # Privilege abuse ## The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse # High volume events ---------------------------------------------------------- # Root command executions -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd # File Deletion Events by User -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete # File Access ## Unauthorized Access (unsuccessful) 
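Review bot: the DAC block installs 26 separate `perm_mod` rules, one per syscall and arch (`-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod`, then the same line for `chown`, `fchmod` and so on), where one rule per arch with a comma-separated syscall list (`-S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr`) expresses the same policy, shortens the rule list the kernel scans at syscall exit, and is what the high-performance tuning guide linked in the header recommends. The `auid>=500` threshold should be `1000` on any distribution whose `UID_MIN` is 1000; otherwise package-created service accounts are audited as if they were interactive users.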
@@ -279,16 +270,16 @@ -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access ## Unsuccessful Creation -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation ## Unsuccessful Modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification # Make the configuration immutable -------------------------------------------- #-e 2 -
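Review bot: the 26 single-syscall perm_mod rules in the reordered DAC block could be two rules, one per arch, with a comma-separated syscall list; the file already uses that form lower down (`-S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat`), and since the kernel walks the exit list on every syscall return, fewer rules with the same syscall mask cost less for identical coverage. The reorder also quietly drops the six duplicated pairs (fchmodat, fchown, fchownat, fremovexattr, lsetxattr, removexattr) the previous revision listed twice, which is worth calling out because duplicates are a load error, not cosmetic. One inconsistency stays: these rules keep `-F auid>=500` while the power_abuse rule below uses `-F auid>=1000`; pick the UID_MIN of the target distributions (1000 on current ones) and use it throughout, and `auid!=unset` is clearer than `auid!=4294967295` on any auditctl that already accepts the `auid=unset` used in the chrony filter.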
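Review bot: in the Injection hunk the order of the b64 ptrace rules defeats their keys: `-a always,exit -F arch=b64 -S ptrace -k tracing` sits above the three b64 `-F a0=0x4/0x5/0x6` rules, and the exit filter is first-match (the Filters comment in this file relies on exactly that), so every 64-bit ptrace call is keyed `tracing` and `code_injection`, `data_injection` and `register_injection` never appear for b64. Move the generic rule below the a0 rules or comment it out like its b32 twin. `-a always,exit -F arch=b32 -S all -k 32bit_abi` has the same effect on everything after it: it matches any 32-bit syscall first, so the later b32 ptrace, rootcmd, delete, file_access, file_creation and file_modification rules can never match; either move it to the end of the rule list or accept that b32 events carry only the 32bit_abi key. On the plus side, renaming `-F key=32bit-abi` to `-k 32bit_abi` brings these keys in line with the underscore names used everywhere else, and the explicit b32/b64 pair for the delete rule replaces the `-F arch=ARCH` placeholder that auditctl rejects.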
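Review bot: removing the dangling `-F` before `-k` in the eight file_creation and file_modification rules is a real fix, not a whitespace change: `-F` expects a field expression, so `-F exit=-EACCES -F -k file_creation` did not parse, and without `-c` auditctl -R stops at the first bad line, which silently dropped every rule after it. These rules still carry no `-F auid>=... -F auid!=...` filter, unlike the file_access rules directly above them, so failed mkdir, link and rename calls by system daemons are logged as well; add the same auid filter for parity, or say in the High volume comment that this is intended.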
Neo23x0 revised this gist
Dec 5, 2017 . 1 changed file with 124 additions and 60 deletions.
@@ -1,71 +1,94 @@ # Linux Audit Daemon practice configuration # /etc/audit/audit.rules # # Based on rules published here: # Gov.uk auditd rules # https://github.com/gds-operations/puppet-auditd/pull/1 # CentOS 7 hardening # https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon # Linux audit repo # https://github.com/linux-audit/audit-userspace/tree/master/rules # # Further rules # For PCI DSS compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules # For NISPOM compliance see: # https://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules # # Compiled by Florian Roth, Dec 2017 # Remove any existing rules -D # Buffer Size # Feel free to increase this if the machine panic's -b 8192 # Failure Mode # Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system) -f 1 # Self Auditing --------------------------------------------------------------- # Audit the audit logs ## Successful and unsuccessful attempts to read information from the audit records -w /var/log/audit/ -k auditlog # Auditd configuration ## Modifications to audit configuration that occur while the audit collection functions are operating -w /etc/audit/ -p wa -k auditconfig -w /etc/libaudit.conf -p wa -k auditconfig -w /etc/audisp/ -p wa -k audispconfig # Monitor for use of audit management tools -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools # Filters --------------------------------------------------------------------- ## This is for don't audit rules. We put these early because audit ## is a first match wins system. Uncomment the rules you want. 
## Cron jobs fill the logs with stuff we normally don't want -a never,user -F subj_type=crond_t ## This prevents chrony from overwhelming the logs -a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t ## This is not very interesting and wastes a lot of space if the server is public facing -a always,exclude -F msgtype=CRYPTO_KEY_USER # Rules ----------------------------------------------------------------------- # Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl # Kernel module loading and unloading -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules # Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe # Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles # Mount operations -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount -a exit,always -F arch=b64 -S mount -S umount2 -k mount # Time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time ## Local time zone -w /etc/localtime -p wa -k localtime # Stunnel -w /usr/sbin/stunnel -p x -k stunnel # Cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k cron -w /etc/cron.deny -p wa -k cron -w /etc/cron.d/ -p wa -k cron 
@@ -76,75 +99,77 @@ -w /etc/crontab -p wa -k cron -w /var/spool/cron/crontabs/ -k cron # User, group, password databases -w /etc/group -p wa -k etcgroup -w /etc/passwd -p wa -k etcpasswd -w /etc/gshadow -k etcgroup -w /etc/shadow -k etcpasswd -w /etc/security/opasswd -k opasswd # Sudoers file changes -w /etc/sudoers -p wa -k actions # Passwd -w /usr/bin/passwd -p x -k passwd_modification # Tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification -w /usr/sbin/useradd -p x -k user_modification -w /usr/sbin/usermod -p x -k user_modification -w /usr/sbin/adduser -p x -k user_modification # Login configuration and information -w /etc/login.defs -p wa -k login -w /etc/securetty -p wa -k login -w /var/log/faillog -p wa -k login -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login # Network Environment ## Changes to hostname -a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications ## Changes to other files -w /etc/hosts -p wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications -w /etc/network/ -p wa -k network -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications ## Changes to issue -w /etc/issue -p wa -k etcissue -w /etc/issue.net -p wa -k etcissue # System startup scripts -w /etc/inittab -p wa -k init -w /etc/init.d/ -p wa -k init -w /etc/init/ -p wa -k init # Library search paths -w /etc/ld.so.conf -p wa -k libpath # Pam configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam -w /etc/security/pam_env.conf -p wa -k pam -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam # GDS specific secrets -w /etc/puppet/ssl -p wa -k puppet_ssl # Postfix 
configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail # SSH configuration -w /etc/ssh/sshd_config -k sshd # SELinux events that modify the system's Mandatory Access Controls (MAC) -w /etc/selinux/ -p wa -k MAC-policy # Critical elements access failures -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess @@ -154,12 +179,12 @@ -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess # Process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc -w /usr/bin/sudo -p x -k priv_esc -w /etc/sudoers -p rw -k priv_esc # Power state -w /sbin/shutdown -p x -k power -w /sbin/poweroff -p x -k power -w /sbin/reboot -p x -k power @@ -170,7 +195,7 @@ -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session # Discretionary Access Control (DAC) modifications -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod 
@@ -210,21 +235,60 @@ -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod # Special Rules --------------------------------------------------------------- # 32bit API Exploitation ## If you are on a 64 bit platform, everything _should_ be running ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls ## because this might be a sign of someone exploiting a hole in the 32 ## bit API. -a always,exit -F arch=b32 -S all -F key=32bit-abi # Injection ## These rules watch for code injection by the ptrace facility. ## This could indicate someone trying to do something bad or just debugging #-a always,exit -F arch=b32 -S ptrace -F key=tracing -a always,exit -F arch=b64 -S ptrace -F key=tracing -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -F key=code-injection -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection -a always,exit -F arch=b32 -S ptrace -F a0=0x5 -F key=data-injection -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -F key=register-injection -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection # Privilege abuse ## The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. 
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse # High volume events ---------------------------------------------------------- ## Optional - evaluate the log volume in your environment # Root command executions -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd # File Deletion Events by User -a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete # File Access ## Unauthorized Access (unsuccessful) -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access ## Unsuccessful Creation -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F -k file_creation -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F -k file_creation -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F -k file_creation -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F -k file_creation ## Unsuccessful Modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S 
removexattr -S lremovexattr -F exit=-EACCES -F -k file_modification -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F -k file_modification -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F -k file_modification # Make the configuration immutable -------------------------------------------- #-e 2 -
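Review bot: the chrony filter `-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t` is a load-time failure on hosts without a chrony account, because auditctl resolves `uid=chrony` through the passwd database when the rule is added; keep it commented like an optional filter or use the numeric UID, and note that `subj_type=chronyd_t` only ever matches under SELinux. The comment "Uncomment the rules you want" is also misleading, since all three filter rules are active as written. Minor: this hunk spells the architecture `-F arch=x86_64` while every other rule uses `-F arch=b64`; both load, but one spelling is easier to grep.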
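Review bot: `-w /etc/sysconfig/network -p wa -k network_modifications` appears twice in the "Changes to other files" block; the kernel refuses an identical rule with "Rule exists", which auditctl reports as an error, so one copy has to go. In the same block `-w /etc/network/ -p wa -k network` is the only rule keyed `network`; use `network_modifications` so one key search covers the group. Further down, `-w /etc/sudoers -p rw -k priv_esc` overlaps with the earlier `-w /etc/sudoers -p wa -k actions`: sudo reads sudoers on every invocation and already trips the `-w /usr/bin/sudo -p x` watch, so the read watch doubles the per-sudo event count for no gain; one watch on /etc/sudoers with a single key is enough.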
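Review bot: eight of the rules in the last hunk will not load: `-F exit=-EACCES -F -k file_creation` (and the EPERM and file_modification variants) has a dangling `-F` with no field expression, and `-a always,exit -F arch=ARCH -S rmdir -S unlink ...` keeps the `ARCH` placeholder from the upstream rules directory, where it is substituted at install time. Drop the stray `-F` and write the delete rule out as a b32 and a b64 rule, as the file_access rules below it already are. Because auditctl -R stops at the first error unless `-c` is given, everything below the first bad line is skipped on a plain load. Two smaller points: the hunk introduces `-F key=32bit-abi`, `-F key=code-injection` and friends with hyphens while the rest of the file uses `-k name_with_underscores`, and the power_abuse rule uses `-F auid>=1000` where every other rule uses `auid>=500`; settle on one key style and one UID_MIN. The `-C auid!=obj_uid` comparison needs a kernel and auditctl with interfield support, so confirm it loads on the oldest platform you target.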
Neo23x0 revised this gist
Dec 5, 2017 . 1 changed file with 96 additions and 28 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,11 @@ ## Linux Audit Daemon practice configuration ## /etc/audit/audit.rules ## ## Based on rules published here: ## Gov.uk auditd rules ## https://github.com/gds-operations/puppet-auditd/pull/1 ## CentOS 7 hardening ## https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon ## ## Compiled by Florian Roth, Dec 2017 @@ -34,6 +37,17 @@ -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools ## Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl ## Kernel module loading and unloading -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules ## Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe ## Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles @@ -42,11 +56,13 @@ -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount -a exit,always -F arch=b64 -S mount -S umount2 -k mount ## Time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time ## Local time zone -w /etc/localtime -p wa -k localtime ## Stunnel -w /usr/sbin/stunnel -p x -k stunnel ## Cron configuration & scheduled jobs 
@@ -67,10 +83,13 @@ -w /etc/shadow -k etcpasswd -w /etc/security/opasswd -k opasswd ## Sudoers file changes -w /etc/sudoers -p wa -k actions ## Passwd -w /usr/bin/passwd -p x -k passwd_modification ## Tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification @@ -85,9 +104,17 @@ -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login ## Network Environment ## Changes to hostname -a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications ## Changes to other files -w /etc/hosts -p wa -k network_modifications -w /etc/sysconfig/network -p wa -k network_modifications -w /etc/network/ -p wa -k network ## Changes to issue -w /etc/issue -p wa -k etcissue -w /etc/issue.net -p wa -k etcissue ## System startup scripts -w /etc/inittab -p wa -k init @@ -97,15 +124,6 @@ ## Library search paths -w /etc/ld.so.conf -p wa -k libpath ## Pam configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam @@ -123,15 +141,10 @@ ## SSH configuration -w /etc/ssh/sshd_config -k sshd ## SELinux events that modify the system's Mandatory Access Controls (MAC) -w /etc/selinux/ -p wa -k MAC-policy ## Critical elements access failures -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess 
@@ -141,22 +154,77 @@ -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess ## Process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc -w /usr/bin/sudo -p x -k priv_esc -w /etc/sudoers -p rw -k priv_esc ## Power state -w /sbin/shutdown -p x -k power -w /sbin/poweroff -p x -k power -w /sbin/reboot -p x -k power -w /sbin/halt -p x -k power # Session initiation information -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session ## Discretionary Access Control (DAC) modifications -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a 
always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod ## High volume events ---------------------------------------------------------- ## Optional - evaluate the log volume in your 
environment ## Root command executions -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd ## File Deletion Events by User -a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete ## Unauthorized Access Attempts to Files (unsuccessful) -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access ## Make the configuration immutable -------------------------------------------- ##-e 2 -
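Review bot: the new module rule `-a always,exit -F arch=b64 -S init_module -S delete_module -k modules` misses `finit_module`, which is the syscall kmod's modprobe and insmod use on kernels that provide it, so a routine modprobe would be visible only through the `-w /sbin/modprobe -p x` watch and a loader that calls the syscall directly would not be seen at all; add `-S finit_module` and, if 32-bit binaries matter on the host, a b32 counterpart like the mknod and mount rules have.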
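Review bot: the DAC block lists fchmodat, fchown, fchownat, fremovexattr, lsetxattr and removexattr twice each (both the b32 and the b64 rule), and the kernel rejects an identical rule with "Rule exists", so the load stops at the first duplicate unless auditctl runs with `-c`; keep one copy of each. In the same hunk `-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat ...` carries the `ARCH` placeholder from the upstream template, which auditctl does not accept as an architecture; write it out as one b32 and one b64 rule, as done for the access rules directly below it.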
Neo23x0 revised this gist
Dec 5, 2017 . 1 changed file with 49 additions and 49 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,55 +1,55 @@ ## Linux Audit Daemon - best practice configuration ## /etc/audit/audit.rules ## ## Based on gov.uk auditd rules published here: ## https://github.com/gds-operations/puppet-auditd/pull/1 ## ## Compiled by Florian Roth, Dec 2017 ## Remove any existing rules -D ## Buffer Size ## Feel free to increase this if the machine panic's -b 8192 ## Failure Mode ## Possible values are 0 (silent), 1 (printk, print a failure message), ## and 2 (panic, halt the system). -f 1 ## Audit the audit logs. ## Successful and unsuccessful attempts to read information from the ## Audit records; all modifications to the audit trail -w /var/log/audit/ -k auditlog ## Auditd configuration ## Modifications to audit configuration that occur while the audit ## Collection functions are operating. -w /etc/audit/ -p wa -k auditconfig -w /etc/libaudit.conf -p wa -k auditconfig -w /etc/audisp/ -p wa -k audispconfig ## Monitor for use of audit management tools -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools ## Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles ## Mount operations -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount -a exit,always -F arch=b64 -S mount -S umount2 -k mount ## Changes to the time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time ## Use stunnel -w /usr/sbin/stunnel -p x -k stunnel ## Cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k cron -w /etc/cron.deny -p wa -k cron -w /etc/cron.d/ -p wa -k cron 
@@ -60,78 +60,78 @@ -w /etc/crontab -p wa -k cron -w /var/spool/cron/crontabs/ -k cron ## User, group, password databases -w /etc/group -p wa -k etcgroup -w /etc/passwd -p wa -k etcpasswd -w /etc/gshadow -k etcgroup -w /etc/shadow -k etcpasswd -w /etc/security/opasswd -k opasswd ## Monitor usage of passwd -w /usr/bin/passwd -p x -k passwd_modification ## Monitor for use of tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification -w /usr/sbin/useradd -p x -k user_modification -w /usr/sbin/usermod -p x -k user_modification -w /usr/sbin/adduser -p x -k user_modification ## Login configuration and information -w /etc/login.defs -p wa -k login -w /etc/securetty -p wa -k login -w /var/log/faillog -p wa -k login -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login ## Network configuration -w /etc/hosts -p wa -k hosts -w /etc/network/ -p wa -k network ## System startup scripts -w /etc/inittab -p wa -k init -w /etc/init.d/ -p wa -k init -w /etc/init/ -p wa -k init ## Library search paths -w /etc/ld.so.conf -p wa -k libpath ## Local time zone -w /etc/localtime -p wa -k localtime ## Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl ## Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe ## Pam configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam -w /etc/security/pam_env.conf -p wa -k pam -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam ## GDS specific secrets -w /etc/puppet/ssl -p wa -k puppet_ssl ## Postfix configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail ## SSH configuration -w /etc/ssh/sshd_config -k sshd ## Changes to hostname -a exit,always -F arch=b32 -S sethostname -k hostname -a exit,always -F arch=b64 -S sethostname -k hostname ## Changes to issue -w /etc/issue -p wa -k etcissue -w /etc/issue.net -p wa -k etcissue ## 
Capture all failures to access on critical elements -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess @@ -141,22 +141,22 @@ -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess ## Monitor for use of process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc -w /usr/bin/sudo -p x -k priv_esc -w /etc/sudoers -p rw -k priv_esc ## Monitor usage of commands to change power state -w /sbin/shutdown -p x -k power -w /sbin/poweroff -p x -k power -w /sbin/reboot -p x -k power -w /sbin/halt -p x -k power ## High volume events ---------------------------------------------------------- ## Log all commands executed by an effective id of 0 aka root. -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd ## Make the configuration immutable -------------------------------------------- ##-e 2 -
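Review bot: this revision only changes the comment prefix from `#` to `##` on every comment line; auditctl treats both as comments, so there is no functional change, and flipping it back later (as the next revision does) is pure churn. If the block is touched again, `-a exit,always -F arch=b64 -S sethostname -k hostname` is the place to add `-S setdomainname`, the sibling call for the NIS domain name, which is otherwise unaudited.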
Neo23x0 renamed this gist
Dec 5, 2017 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
Neo23x0 created this gist
Dec 5, 2017 .
@@ -0,0 +1,162 @@ # Linux Audit Daemon - best practice configuration # /etc/audit/audit.rules # # Based on gov.uk auditd rules published here: # https://github.com/gds-operations/puppet-auditd/pull/1 # # Compiled by Florian Roth, Dec 2017 # Remove any existing rules -D # Buffer Size # Feel free to increase this if the machine panic's -b 8192 # Failure Mode # Possible values are 0 (silent), 1 (printk, print a failure message), # and 2 (panic, halt the system). -f 1 # Audit the audit logs. # Successful and unsuccessful attempts to read information from the # Audit records; all modifications to the audit trail -w /var/log/audit/ -k auditlog # Auditd configuration # Modifications to audit configuration that occur while the audit # Collection functions are operating. -w /etc/audit/ -p wa -k auditconfig -w /etc/libaudit.conf -p wa -k auditconfig -w /etc/audisp/ -p wa -k audispconfig # Monitor for use of audit management tools -w /sbin/auditctl -p x -k audittools -w /sbin/auditd -p x -k audittools # Special files -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles # Mount operations -a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount -a exit,always -F arch=b64 -S mount -S umount2 -k mount # Changes to the time -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time # Use stunnel -w /usr/sbin/stunnel -p x -k stunnel # Cron configuration & scheduled jobs -w /etc/cron.allow -p wa -k cron -w /etc/cron.deny -p wa -k cron -w /etc/cron.d/ -p wa -k cron -w /etc/cron.daily/ -p wa -k cron -w /etc/cron.hourly/ -p wa -k cron -w /etc/cron.monthly/ -p wa -k cron -w /etc/cron.weekly/ -p wa -k cron -w /etc/crontab -p wa -k cron -w /var/spool/cron/crontabs/ -k cron # User, group, password databases -w /etc/group -p wa -k etcgroup -w /etc/passwd -p wa -k etcpasswd -w /etc/gshadow -k etcgroup -w 
/etc/shadow -k etcpasswd -w /etc/security/opasswd -k opasswd # Monitor usage of passwd -w /usr/bin/passwd -p x -k passwd_modification # Monitor for use of tools to change group identifiers -w /usr/sbin/groupadd -p x -k group_modification -w /usr/sbin/groupmod -p x -k group_modification -w /usr/sbin/addgroup -p x -k group_modification -w /usr/sbin/useradd -p x -k user_modification -w /usr/sbin/usermod -p x -k user_modification -w /usr/sbin/adduser -p x -k user_modification # Login configuration and information -w /etc/login.defs -p wa -k login -w /etc/securetty -p wa -k login -w /var/log/faillog -p wa -k login -w /var/log/lastlog -p wa -k login -w /var/log/tallylog -p wa -k login # Network configuration -w /etc/hosts -p wa -k hosts -w /etc/network/ -p wa -k network # System startup scripts -w /etc/inittab -p wa -k init -w /etc/init.d/ -p wa -k init -w /etc/init/ -p wa -k init # Library search paths -w /etc/ld.so.conf -p wa -k libpath # Local time zone -w /etc/localtime -p wa -k localtime # Kernel parameters -w /etc/sysctl.conf -p wa -k sysctl # Modprobe configuration -w /etc/modprobe.conf -p wa -k modprobe # Pam configuration -w /etc/pam.d/ -p wa -k pam -w /etc/security/limits.conf -p wa -k pam -w /etc/security/pam_env.conf -p wa -k pam -w /etc/security/namespace.conf -p wa -k pam -w /etc/security/namespace.init -p wa -k pam # GDS specific secrets -w /etc/puppet/ssl -p wa -k puppet_ssl # Postfix configuration -w /etc/aliases -p wa -k mail -w /etc/postfix/ -p wa -k mail # SSH configuration -w /etc/ssh/sshd_config -k sshd # Changes to hostname -a exit,always -F arch=b32 -S sethostname -k hostname -a exit,always -F arch=b64 -S sethostname -k hostname # Changes to issue -w /etc/issue -p wa -k etcissue -w /etc/issue.net -p wa -k etcissue # Capture all failures to access on critical elements -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess -a exit,always -F 
arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess # Monitor for use of process ID change (switching accounts) applications -w /bin/su -p x -k priv_esc -w /usr/bin/sudo -p x -k priv_esc -w /etc/sudoers -p rw -k priv_esc # Monitor usage of commands to change power state -w /sbin/shutdown -p x -k power -w /sbin/poweroff -p x -k power -w /sbin/reboot -p x -k power -w /sbin/halt -p x -k power # High volume events ---------------------------------------------------------- # Log all commands executed by an effective id of 0 aka root. -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd # Make the configuration immutable -------------------------------------------- #-e 2
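Review bot: the "Capture all failures to access on critical elements" rules use `-S open` only; current glibc implements open(3) with the openat(2) syscall on x86_64, and most runtimes call openat directly, so these rules miss the bulk of failed opens; add `-S openat -S open_by_handle_at`. `-F success=0` also matches ENOENT, by far the commonest failure under /etc and /usr (library, locale and nss probing), so the rules will be noisy; filter on `-F exit=-EACCES` and `-F exit=-EPERM` instead. The key is misspelled (`unauthedfileacess`), which matters because `ausearch -k` and downstream queries match on it; fix it before anyone builds searches against it. `-w /etc/shadow -k etcpasswd` and `-w /etc/gshadow -k etcgroup` have no `-p`, so they default to rwxa and log every read, that is every local authentication; `-p wa` matches what the comment describes. Style: the file mixes `-a exit,always` and `-a always,exit`; auditctl accepts both, but one spelling keeps the rules greppable.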